Replaceable item authentication

ABSTRACT

A replaceable item for a host device includes a non-volatile memory and logic. The non-volatile memory stores passwords or authentication values, and/or a cryptographic key. The logic satisfactorily responds to requests for passwords a maximum permitted number of times to authenticate the replaceable item within the host device.

BACKGROUND

Devices that use replaceable items include printing devices, includingstand-alone printers, copy machines, and all-in-one (AIO) devices thatcan perform multiple functions, such as printing, copying, scanning,and/or faxing. Example replaceable items for such printing devicesinclude ink, toner, and/or other types of colorant, includingtwo-dimensional (2D) colorant. Other example replacement items,specifically for three-dimensional (3D) printing devices, include 3Dprinting agent and 3D printing build material.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of an example print substance cartridge for aprinting device.

FIG. 2 is a flowchart of an example method that a print substancecartridge or other replaceable item for a device can perform.

FIG. 3 is a flowchart of an example method that a print substancecartridge or other replaceable item for a device can perform toimplement a portion of the method of FIG. 2.

FIG. 4 is a flowchart of another example method that a print substancecartridge or other replaceable item for a device can perform toimplement a portion of the method of FIG. 2.

FIG. 5 is a flowchart of an example method that a print substancecartridge or other replaceable item for a device can perform toimplement a part of the method of FIG. 2.

DETAILED DESCRIPTION

As noted in the background, devices that use replaceable items includeprinting devices. A supply of print substance, such as colorant oranother type of print substance, is stored in a cartridge that can beinserted into a printing device. When the supply becomes depleted, thecartridge can be replaced with a cartridge having a fresh supply of theprint substance in question. Cartridges having different types of printsubstances can also be switched out as desired. As an example, acartridge having general-purpose ink may be switched out for a cartridgehaving photo-quality ink within an inkjet-printing device as desired.

Manufacturers of printing devices also typically make or otherwisesupply the print substance used in the printing devices. From the enduser's perspective, using manufacturer-supplied or manufacturer-approvedprint substance cartridges can facilitate desired output by the printingdevices and/or inhibit damage to the printing devices. For the originalequipment manufacturer (OEM) it may be difficult to guarantee printingdevice output or printing device functioning if the printing device usesthird party cartridges. A third party print substance is beyond thecontrol of the OEM. For example, it could provide for different printoutput or entail a risk of shortening the life of the print device. Insome instances, such as 3D printers, there might even be a safety riskto a user when a print substance is a non-approved print substance. Incertain instances, usage of non-approved print substance may affect awarranty associated with the printing device.

Manufacturers may therefore instill cartridges with authenticationsecurity. A printing device may interrogate the cartridge to determineif it is authentic. If the cartridge is not authentic (e.g., is not OEMapproved), then the printing device may initiate a certain procedure,such as, for instance, informing the end user, such as immediately orsoon after installation.

Techniques disclosed herein provide a novel, innovative authenticationscheme for a print substance cartridge for a printing device, and moregenerally for a replaceable item for a (host) device in which the itemcan be installed (i.e., more generally, the device to which the item canbe connected). The print substance cartridge stores a number ofauthentication values, or passwords. The cartridge includes logic (suchas circuitry like a processor and memory storing code that the processorexecutes, firmware, and so on) to satisfactorily respond to requests forthese authentication values a predetermined maximum number of times.

As used herein, a response to a request for an authentication value is asatisfactory response if the response includes the requestedauthentication value. That is, a response to a request for anauthentication value is a satisfactory response if the response fulfillsthe request by including the requested authentication value. Aunsatisfactory response to such a request is thus one that does notinclude the authentication value that has been requested. Therefore, anunsatisfactory response to a request is one that does not fulfill therequest, because the response does not include the requestedauthentication value.

The predetermined maximum number of times that the cartridge willsatisfactorily respond to authentication value requests can beconsidered as the first such number of authentication value requeststhat the cartridge receives. This is because the cartridge will fulfillauthentication value requests as they are received until the maximumnumber of such requests has been fulfilled. Once the maximum number ofauthentication value requests has been fulfilled, the cartridge will notfulfill any further authentication value requests.

The predetermined maximum number of times that the cartridge willsatisfactorily respond to authentication value requests may be specificto an authentication value. For example, if the cartridge storessixty-four different authentication values, each authentication valuemay be returned the predetermined maximum number of times. Thepredetermined maximum number of times that the cartridge willsatisfactorily respond to authentication value requests may be specificto the printing device making the request. For example, the cartridgemay satisfactorily respond the predetermined maximum number of times torequests from a first printing device in which the cartridge has beeninserted. If the cartridge is removed from this printing device andinstalled in a second printing device, the cartridge may satisfactorilyrespond to requests from the second printing device the predeterminedmaximum number of times as well.

The predetermined maximum number of times that the cartridge willsatisfactorily respond to authentication value requests may be specificto both an authentication value and the printing device making therequest. For example, if the cartridge stores sixty-four differentauthentication values, each authentication value may be returned thepredetermined maximum number of times to a first printing device inwhich the cartridge has been inserted. If the cartridge is removed fromthis printing device and installed in a second printing device, thecartridge may return each authentication value the predetermined maximumnumber of times to this printing device, too.

The predetermined maximum number of times that the cartridge willsatisfactorily respond to authentication value requests may not bespecific to an authentication value or to the printing device making therequest. The cartridge can, in other words, satisfactorily respond tojust a predetermined maximum number of requests regardless of theprinting device making the request, or the authentication value that isbeing requested. Once the cartridge has returned authentication valuesin response to the predetermined maximum number of requests, thecartridge will no longer return an authentication in response to thenext request, even if it is for an authentication value that has notbeen requested before and even it if is from a printing device that hasnot requested an authentication value before.

The print substance cartridge can also store hash values of theauthentication values, or passwords. The hash values provide a way todetermine whether a given authentication value that the cartridge hasprovided is correct. An authentication scheme using such a printsubstance cartridge may include a host printing device that mightrequest four different passwords, or authentication values, stored inthe cartridge. Different printing devices may and likely will requestdifferent passwords from a given cartridge. Similarly, a given printingdevice may and likely will request different passwords from differentcartridges.

FIG. 1 shows an example print substance cartridge 100 for a printingdevice. The cartridge 100 includes a print substance supply 102. Thecartridge 100 may contain any volume of print substance, such as fromseveral milliliters to tens of liters. Different examples of printsubstance include ink for an inkjet-printing device, and liquid orpowder toner for a laser-printing device. Such ink and toner arethemselves examples of two-dimensional (2D) colorant, which is colorantused by a suitable printing device to form images on media like paperthat minimally if at all extend in a third dimension perpendicular tothe two dimensions defining the plane of the surface of the media onwhich the images have been formed. Other examples of print substanceinclude three-dimensional (3D) printing agent and 3D printing buildmaterial, which are used by a suitable 3D printing device to form a 3Dobject that is typically removable from any substrate on which theobject is constructed. Certain print substances, such as ink, may beused for both 2D and 3D printing.

The print substance cartridge 100 includes logic 104. The logic 104 canbe implemented as circuitry within the cartridge 100. For example, thelogic 104 can include a processor, and a non-volatile computer-readabledata storage medium storing computer-executable code that the processorexecutes. In this respect, then, in one implementation, the logic 104may include a microprocessor and embedded software stored on themicroprocessor itself, where the non-volatile computer-readable datastorage medium is integrated within the microprocessor. In anotherimplementation, the logic 104 may include a microprocessor and softwareembedded within a non-volatile medium separate from the microprocessor.

As another example, the logic 104 can be or include anapplication-specific integrated circuit (ASIC) or a field-programmablegate array (FPGA). More generally in this respect, the logic 104 can beimplemented using logic gates. As a third example, the logic 104 may beimplemented as any combination of a processor, software stored withinthe processor or on a medium separate to the processor, and logic gates.

The print substance cartridge 100 includes non-volatile memory 106. Thememory 106 can be semiconductor memory, and is non-volatile in that whenpower is removed from the cartridge 100, the memory 106 still retainsits contents. The memory 106 stores passwords 108, which are alsoreferred to as authentication values herein. The memory 106 can storehash values 110 of, and which can individually correspond to, thepasswords 108. The memory 106 can store a cryptographic key 112 fromwhich the passwords 108 are able to be generated.

The memory 106 stores a number of the passwords 108, which is referredto as the total number of passwords 108. The passwords 108, orauthentication values, are stored by the cartridge 100 so that thecartridge 100 can prove to a host printing device that it is authentic.Stated another way, the passwords 108 are used to authenticate thecartridge 100 within the printing device. The passwords 108 can besecured in an encrypted cryptographic manner, so that the passwords 108are essentially irretrievable from the cartridge 100 outside of theapproaches described herein. The passwords 108 can each be a series ofbits, such as 256 bits.

The memory 106 can store one hash value 110 for each password 108. Thehash values 110 are stored by the cartridge 100 so that the cartridge100 can prove to a host printing device that the passwords 108 arecorrect. Stated another way, the hash values 110 are used to verify thepasswords 108 provided by the cartridge 100 within the printing device.The hash values 110 may not be cryptographically secured in that theyare freely retrievable from the cartridge 100, but may becryptographically secured in that the hash values 110 cannot bemodified. The hash values 110 may be one-way hash values 110 of thepasswords 108, which means that a password 108 cannot be determined justby knowing its corresponding hash value 110, even if the one-way hashfunction used to generate the hash value 110 from the password 108 isknown.

The hash values 110 can be provided by the cartridge 100 in oneimplementation in a way so that a host device is able to validate thehash values 110 as having been generated by an entity (i.e., themanufacturer or supplier of the cartridge 100) that the host devicetrusts. As one example, the hash values 110 may be cryptographicallysigned with a private cryptographic key prior to storage in thecartridge 100. The host device may use a corresponding publiccryptographic key to validate the hash values 110. The private key maynot be stored on the cartridge 100, and is unavailable publicly.

The logic 104 permits retrieval of the passwords a predetermined maximumnumber of times. The logic 104 can permit retrieval of a predeterminedmaximum number of the passwords 108, less than the total number of thepasswords 108 stored in the non-volatile memory 106. In such animplementation, the logic 104 prohibits retrieval of any password 108other than the predetermined maximum number of passwords, even one time,from the memory 106. Such an implementation is described in thecopending patent application filed on Jun. 16, 2016, and assigned patentapplication number PCT/US2016/38211, which is hereby incorporated byreference.

The logic 104 can permit retrieval of the passwords 108 a predeterminedmaximum number of times, regardless of the passwords 108 that arerequested. That is, the logic 104 satisfactorily responds to the firstpredetermined maximum number of requests for the passwords 108,regardless of the passwords 108 within those requests, and does notreturn passwords 108 in response to subsequently received requests forthe passwords 108. The predetermined maximum number of requests for thepasswords 108 to which the logic 104 will satisfactorily respond can beless than, equal to, or greater than the number of the passwords 108. Ifthe predetermined maximum number of requests is less than the number ofthe passwords 108, the logic 104 will never return one or more of thepasswords 108. If the predetermined maximum number is equal to orgreater than the number of the passwords 108, the logic 104 canpotentially return all the passwords 108, but depending on the passwords108 requested in the first predetermined maximum number of requests, maynot ever return one or more of the passwords 108.

The logic 104 can permit retrieval of the passwords 108 a predeterminedmaximum number of times, on a per-password basis. That is, the logic 104satisfactorily responds to the first predetermined maximum number ofrequests for each password 108. For example, if there are sixty-fourpasswords 108, the logic 104 will return the first password 108 thepredetermined maximum number of times, the second password 108 thepredetermined maximum number of times, and so on.

The logic 104 can permit retrieval of the passwords 108 a predeterminedmaximum number of times, regardless of the host printing device thatmade the requests. That is, the logic 104 satisfactorily responds to thefirst predetermined maximum number of requests for the passwords 108,regardless of the host printing device from which each such request wasreceived, and does not return passwords 108 in response to subsequentlyreceived requests for the passwords 108. For example, the predeterminedmaximum number of times the logic 104 returns the passwords 108 may beone hundred. If the logic 104 is installed in a first host printingdevice from which one hundred requests are received, the logic 104 willnot satisfactorily respond to any further request received from thisprinting device. Furthermore, if the cartridge 100 is then removed fromthe first printing device and installed in another, second host printingdevice, the logic 104 will still not satisfactorily respond to anyrequest received from the second printing device.

The logic 104 can permit retrieval of the passwords a predeterminedmaximum number of times, on a per-host printing device basis. That is,the logic 104 satisfactorily responds to the first predetermined maximumnumber of requests that it receives from each printing device. Forexample, the predetermined maximum number of times the logic 104 returnsthe passwords 108 may be one hundred. The logic 104 may be installed ina first host printing device from which fifty requests are received andto which the logic 104 satisfactorily responds. If the cartridge 100 isthen removed from the first printing device and installed in another,second host printing device, the logic 104 will still satisfactorilyrespond to the first one-hundred requests received from the secondprinting device.

The logic 104 can permit retrieval of the passwords 108 a predeterminedmaximum number of times, regardless of the passwords 108 that arerequested and regardless of the host printing device that made therequests. That is, which password 108 was requested in a request andwhich host printing device made the request do not matter as to whetherthe logic 104 will satisfactorily respond to the request. Once the logic104 has satisfactorily responded to the predetermined maximum number ofsuch requests, irrespective of the host printing device that makes thenext request or the password 108 requested in this request, the logic104 does not return the requested password 108 to the requestingprinting device.

The logic 104 can permit retrieval of the passwords 108 a predeterminedmaximum number of times, on both a per-host printing device basis and aper-password basis. The logic 104 can return each password 108 to everyprinting device the predetermined maximum number of times. Once a hostprinting device has received a given password 108 the predeterminedmaximum number of times, the printing device may still receive otherpasswords 108 from the logic 104, and another host printing device canstill receive the given password.

The non-volatile memory 106 used for the storage of the passwords 108can be a write-once, read-limited memory. The passwords 108 are writtento the memory 106 just once, such as during a secure manufacturingprocess. The passwords 108 can be at least functionally erased once thepredetermined maximum number of times has been reached. They may becompletely and indelibly erased from the memory 108 by the logic 104,for instance, in a manner so that “unerasing” or the recovery of theerased passwords 108 is considered impossible. The passwords 108 inquestion may be functionally erased in that these passwords 108 remainstored in the memory 108, but are irretrievable. For example, fuse linksto the physical parts of the memory 108 where the passwords 108 inquestion are stored may be severed, rendering the passwords 108irretrievable and thus functionally erased even though in actuality thepasswords 108 remain in memory.

The memory 106 can store the cryptographic key 112 in lieu of thepasswords 108 when the cartridge 100 is manufactured. In thisimplementation, prior to first usage of the cartridge 100, no passwords108 may be stored in the cartridge 100. Rather, when a password 108 isrequested, the cartridge 100 generates the password 108 “on the fly.”Once the logic 104 has satisfactorily responded to the predeterminedmaximum number of requests, the cryptographic key 112 may be at leastfunctionally erased, in the manner described in the previous paragraph.

FIG. 2 shows an example method 200 that a replaceable item for a device,such as the print substance cartridge 100 for a printing device, canperform. The method 200 can be implemented as computer-readable codestored on a non-transitory computer-readable data storage medium andthat a processor executes. As such, the logic 104 of the cartridge 100can perform the method 200, for example. The replaceable item performsthe method 200 once it has been installed in a host device.

The replaceable item receives a request from the host device for aparticular authentication value of a number of authentication valuesthat the item may store (202). The request may be signed with a digitalcryptographic key, or may be authenticated in another manner. Thereplaceable item determines whether it has already fulfilled apredetermined maximum number of requests for authentication values(204). The predetermined maximum number of requests to which thereplaceable item will satisfactorily respond can be on aper-authentication value and/or a per-host device basis, or on neither aper-authentication value basis nor a per-host device basis.

If the predetermined maximum number of requests has already beenfulfilled (206), then the replaceable item does not send the requestedauthentication value to the host device in which the item is installed(208). However, if the replaceable item has not yet satisfactorilyresponded to the predetermined maximum number of requests, then the itemsends the requested authentication value to the host device (210). Forinstance, the replaceable item may retrieve the requested authenticationvalue from a table of the authentication values stored withinnon-volatile memory of the replaceable item. As another example, thereplaceable item may retrieve a seed value stored within non-volatilememory of the replaceable item (different than that with which thereceived request may have been signed), and generate the requestedauthentication value from the cryptographic key.

The replaceable item can again determine whether the item has nowsatisfactorily responded to the maximum number of requests (212),including the request received in part 202 that has been fulfilled. Ifthe predetermined maximum number of requests has now been fulfilled(214), then the replaceable item may at least functionally erase theauthentication values that it stores (216). If the predetermined maximumnumber of requests is on a per-authentication value basis but not on aper-host device basis, then just the authentication value that was sentin part 210 is erased, and other authentication values are not erased.If the predetermined maximum number of requests is on a per-host devicebasis, regardless of whether this number is on a per-authenticationvalue basis or not, then no authentication value may be erased, becauseother host devices may request the same (or another) authenticationvalue.

In an implementation in which the replaceable item generatesauthentication values from a cryptographic key, erasure of theauthentication values in part 212 means or includes erasure of this key.If the predetermined maximum number of requests is on aper-authentication value basis but not on a per-host device basis, thenthe cryptographic key does not occur until the predetermined maximumnumber of requests has been received for all the authentication values.If the predetermined maximum number of requests is on a per-host device,regardless of whether this number is on a per-authentication value basisor not, then the cryptographic key may not be erased, becauseauthentication values may have to be generated for other host devices.

In one implementation, the authentication value may not be sent untilwhether erasure will be performed is determined—and further if it isdetermined that erasure of the authentication value will be performed,the authentication value may be erased from non-volatile memory untilprior to sending the authentication value. That is, after thereplaceable item determines that the maximum number of requests have notyet been fulfilled in part 206, the replaceable item then determineswhether the maximum number of requests will be fulfilled with thefulfillment of the requested received in part 202. If the maximum numberof requests will still not be fulfilled with fulfillment of the receivedrequest, then the replaceable item sends the authentication value andproceeds. If the maximum number of requests will be fulfilled with thefulfillment of the received request, then the replaceable item copiesthe requested authentication value from non-volatile memory beforeerasing at least this authentication value from non-volatile memory, andthen sends the copied authentication value to the host device.

From parts 208 and 216, and from part 214 when the maximum number ofrequests have not yet been fulfilled, or as an entry point to the method200, the replaceable item can receive from the host device a request forone or more hash values corresponding to one or more authenticationvalues (218). For example, the replaceable item may receive a requestfor all the hash values corresponding to all the authentication values,for just one of the hash values corresponding to just one of theauthentication values, and so on. The replaceable item may receive arequest for one or more hash values even after the authentication valuesare erased in part 216. That is, the replaceable item may not erase thehash values for the authentication values that it erases, for instance.Part 218 can be considered as an entry point to the method 200 in thatthe request for the hash values can be received prior to receipt of arequest for an authentication value.

FIG. 3 shows an example method 300 that is an example of a particularimplementation of parts 202 through 216 of the method 200. Identicallynumbered parts in FIGS. 2 and 3 are performed in the method 300 at leastsubstantially as described above in relation to the method 200. Numbersin parentheses indicate that a given part of the method 300 isimplementing a corresponding part of the method 200. That is, Y(X) inFIG. 3 means that part Y of the method 300 is implementing part X of themethod 200.

The replaceable item receives a request for an authentication value fromthe host device in which it is installed (202). The replaceable itemmaintains a counter of the number of authentication value requests thathave been fulfilled. That is, the replaceable item maintains a counterof the number of authentication value requests to which it hassatisfactorily responded. The counter can be an increment-only counter,which can be increased and not decreased. The counter is stored innon-volatile memory, such as the non-volatile memory 106, and can besecured.

The replaceable item determines whether the counter is equal to thepredetermined maximum number of requests to which the item hassatisfactorily responded to fulfill the requests (302). There may be acounter on a per-authentication value basis and/or a per-host devicebasis, or on neither a per-authentication value basis nor a per-hostdevice basis. If the counter is equal to this predetermined maximumnumber (304), then the replaceable item refuses to send the requestedauthentication value (208).

If the counter is not equal to the predetermined maximum number ofrequests in which the replaceable item has satisfactorily responded(304), however, then the replaceable item sends the authentication valueto the host device in response to and to fulfill the request (210). Thereplaceable item increments the counter (306), and determines whetherthe counter is now equal to the predetermined maximum number of requeststhat the item will fulfill (308). If the counter is not yet equal tothis maximum number (310), then the method 300 is finished (312).However, if the counter is now equal to this number (310), then thereplaceable item can erase the authentication values (216).

In a different implementation, the counter is incremented prior tosending the authentication value. That is, in this implementation, it isdetermined whether the maximum number of authentications will have nowbeen sent with the sending of an authentication value, and if so, thenthe counter is incremented, and after the counter has been incremented,the authentication value is sent. Erasure of the authentication values,if any, can occur in this implementation prior to sending theauthentication value in question. More generally, any action that isperformed due to the sending of the last unique authentication valuethat will be provided by the replaceable item, can be performed prior tosending this last unique authentication value. It is noted in thisrespect that, more generally still, any such action that is performed inconjunction with sending an authentication value (and not the lastauthentication value) can be performed prior to the authentication valueactually being sent.

FIG. 4 shows an example method 400 that is another example of aparticular implementation of parts 202 through 216 of the method 200.Identically numbered parts in FIGS. 2 and 4 are performed in the method400 at least substantially as described above in relation to the method200. Numbers in parentheses indicate that a given part of the method 400is implementing a corresponding part of the method 200. That is, Y(X) inFIG. 4 means that part Y of the method 400 is implementing part X of themethod 200.

The replaceable item receives a request for an authentication value fromthe host device in which it is installed (202). The replaceable itemmaintains a flag corresponding to whether the predetermined maximumnumber of authentication value requests has been fulfilled by thereplaceable item satisfactorily responding thereto. The flag can be asettable-only flag, which can be set but which cannot be cleared. Theflag is stored in non-volatile memory, such as the non-volatile memory106, and can be secured.

The replaceable item determines whether the flag has been set (402).There may be a flag on a per-authentication value basis and/or aper-host device basis, or on neither a per-authentication value basisnor a per-host device basis. If the flag has been set (404), then thereplaceable item refuses to send the requested authentication value(208).

If the flag has not been sent (404), however, then the replaceable itemsends the authentication value to the host device in response to and tofulfill the request (210). The replaceable item determines whether themaximum number of requests to which it will satisfactorily respond hasnow been fulfilled (212). If the replaceable item has not yetsatisfactorily responded to the maximum number of authentication valuerequests (214), then the method 400 is finished (404). However, if thereplaceable item has fulfilled the maximum number of such requests(214), then the replaceable item sets the flag (408), and can erase theauthentication values (216).

In a different implementation, the flag is set prior to sending theauthentication value. That is, in this implementation, it is determinedwhether the maximum number of authentications will have now been sentwith the sending of an authentication value, and if so, then the flag isset, and after the flag has been set, the authentication value is sent.Erasure of the authentication values, if any, can occur in thisimplementation prior to sending the authentication value in question.More generally, any action that is performed due to the sending of thelast unique authentication value that will be provided by thereplaceable item, can be performed prior to sending this last uniqueauthentication value. It is noted in this respect that, more generallystill, any such action that is performed in conjunction with sending anauthentication value (and not the last authentication value) can beperformed prior to the authentication value actually being sent.

FIG. 5 shows an example method 500 that an example of an implementationof part 210 of the method 200. That is, in lieu of sending theauthentication value automatically in part 210 of the method 200, areplaceable item performs the method 500. The replaceable itemdetermines whether it has previously sent the authentication value thathas been requested by a host device in the request the item receivedfrom the device to any host device (502), including the host device inwhich the item is currently installed, as well as any other host device.If the replaceable item has previously sent the requested authenticationvalue (504), the item returns the requested value to the host device(506).

However, if the replaceable item has not previously sent the requestedauthentication value (504), the item determines whether it has alreadysent the maximum number of unique authentication values (508). Forexample, of sixty-four authentication values that the replaceable itemmay store, the item may send no more than sixteen of these values. Ifthe replacement item has already sent the maximum number of uniqueauthentication values (510), the item does not send the authenticationvalue that the host device in which the item is installed has requested(512). The method 500 is finished with the replaceable item not sendingthe requested authentication value, even if the maximum number ofrequests that the replaceable item will satisfactorily respond to hasnot been reached yet.

However, if the replaceable item has not yet sent the maximum number ofunique authentication values, then the item sends the requestedauthentication value to the host device (514). The replaceable item thencan again determine whether the maximum number of authentication valueshas now been sent (516), including the authentication value that theitem just sent in part 514. For example, if the item is permitted tosend just sixteen of its sixty-four authentication values, if fifteenvalues were sent prior to performance of part 514, then a different,sixteenth authentication value is sent in part 514, such that themaximum number of sixteen different authentication values has now beensent.

If the maximum number of unique authentication values has now been sent(518), then the replaceable item can at least functionally erase theauthentication values that it stores and that have not been sent (520).As such, in the ongoing example, once sixteen different authenticationvalues have been sent, the other forty-eight authentication values areerased. Note that each time the method 500 of FIG. 5 is performed, then,the replaceable item can send any authentication value that it sentpreviously up to the permitted maximum number of times that the itemwill satisfactorily respond to authentication value requests.Furthermore, each time the method 500 is performed, the replaceable itemcan send any authentication value that it has not sent previously solong as the maximum number of different authentication values that theitem will send has not yet been reached, up to the permitted maximumnumber of times that the item will satisfactorily respond toauthentication value requests. From parts 506 and 520, and from part 518when the maximum number of unique sent authentication values has not yetbeen reached, the method 500 proceeds to part 212 of the method 200 ofFIG. 2 (524).

The different implementations of parts of the method 200 that have beendescribed in relation to the methods 300, 400 and 500 can be combined ormodified in different ways. For example, the counter of the method 300can be used in conjunction with the flag of the method 400. The method500 can be used in conjunction with the method 300 and/or the method 400as well.

The techniques disclosed herein may improve, or provide for anotherscheme for, cryptographic security of a replaceable item for a device,such as a print supply cartridge for a printing device. A replaceableitem satisfactorily responds to a predetermined maximum number ofauthentication value requests. Once the maximum number of authenticationrequests has been received, additionally received requests will not behonored, even if they remain stored in the replaceable item. Thepredetermined maximum number of requests to which the replaceable itemwill satisfactorily respond can be on a per-authentication value and/ora per-host device basis, or on neither a per-authentication value basisnor a per-host device basis.

We claim:
 1. A print substance cartridge for a printing device,comprising: a supply of print substance for the printing device; anon-volatile memory storing a plurality of passwords and/or acryptographic key from which the passwords are able to be generated; andlogic to satisfactorily respond to a maximum permitted number ofrequests for the passwords to authenticate the print substance cartridgewithin the printing device.
 2. The print substance cartridge of claim 1,wherein the non-volatile memory stores the passwords, wherein the logicis further to functionally erase the passwords after the maximumpermitted number of requests have been received.
 3. The print substancecartridge of claim 1, wherein the non-volatile memory stores thecryptographic key, wherein the logic is further to: generate thepasswords from the cryptographic key; and functionally erase thecryptographic key after the maximum number of requests has beenreceived.
 4. The print substance cartridge of claim 1, wherein the logicis further to: respond to the maximum permitted number of request for apredetermined maximum number of the passwords less than a total numberof the passwords.
 5. The print substance cartridge of claim 1, furthercomprising: a non-volatile memory storing a plurality of hash values ofthe passwords, wherein the logic is to respond to requests for the hashvalues of the passwords.
 6. The print substance cartridge of claim 1,wherein the print substance is one or more of: ink, toner,two-dimensional (2D) colorant, three-dimensional (3D) printing agent,and 3D printing build material.